e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d

General

Target

e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
Size

6.3MB
MD5

a36d41f2e8210c0da3814b8e9a15500d
SHA1

e3fba49fd246e3580bca587982a0f9ee820a582d
SHA256

e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d
SHA512

66d27c8d3fe43ffd0e3d10b70a6e9fdbf8ccc7d22efd0db98d7113330d85653f6d25a347dc9030f114322ba0cb348c0580ca96fdf7cdfc2873e43eaba1d51b79
SSDEEP

98304:HyBEvyd0JkMzAo/Tsl03kxD7EhHwwsrfYbQa8vCMTXeXgAg:S0JkMzAo/Th0xD7Kts0t8vLX5Ag

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DocumentSaver.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	DocumentSaver.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	DocumentSaver.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 3040	1816	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	88
PID 1816 wrote to memory of 3040	1816	e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe	88
PID 3040 wrote to memory of 2116	3040	DocumentSaver.exe	99
PID 3040 wrote to memory of 2116	3040	DocumentSaver.exe	99
PID 3040 wrote to memory of 1364	3040	DocumentSaver.exe	101
PID 3040 wrote to memory of 1364	3040	DocumentSaver.exe	101

C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
"C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Del SQLite.Interop.dll
    3⤵
    PID:2116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe
    3⤵
    PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe

Filesize
5.2MB

MD5
cf7eb797b63e8322269eb8281975af53

SHA1
beff0874841fc49e458f9fbfb04664143535bf32

SHA256
710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424

SHA512
a22e79c05cb3848a8810cfa18380b7bd7af31b4b5b5c816710bfd6950f0c2d69c20db78a319ce3134b302033d1209868eff4d46e9fbcf2066a2e10f9c23f64f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SQLite.Interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
memory/3040-23-0x000001CFDCCB0000-0x000001CFDCCD6000-memory.dmp

Filesize
152KB

Download
memory/3040-26-0x000001CFDCE30000-0x000001CFDCE52000-memory.dmp

Filesize
136KB

Download
memory/3040-17-0x000001CFDEFB0000-0x000001CFDF000000-memory.dmp

Filesize
320KB

Download
memory/3040-18-0x000001CFC2B90000-0x000001CFC2BA0000-memory.dmp

Filesize
64KB

Download
memory/3040-15-0x000001CFDCC40000-0x000001CFDCCA2000-memory.dmp

Filesize
392KB

Download
memory/3040-22-0x000001CFDCCF0000-0x000001CFDCD2A000-memory.dmp

Filesize
232KB

Download
memory/3040-14-0x000001CFC2290000-0x000001CFC27C4000-memory.dmp

Filesize
5.2MB

Download
memory/3040-24-0x000001CFDCD50000-0x000001CFDCE00000-memory.dmp

Filesize
704KB

Download
memory/3040-25-0x000001CFDCE80000-0x000001CFDCEF6000-memory.dmp

Filesize
472KB

Download
memory/3040-16-0x00007FFC4ACB0000-0x00007FFC4B771000-memory.dmp

Filesize
10.8MB

Download
memory/3040-27-0x000001CFDCE60000-0x000001CFDCE7E000-memory.dmp

Filesize
120KB

Download
memory/3040-29-0x000001CFDFF30000-0x000001CFE025E000-memory.dmp

Filesize
3.2MB

Download
memory/3040-31-0x000001CFC2B90000-0x000001CFC2BA0000-memory.dmp

Filesize
64KB

Download
memory/3040-34-0x00007FFC4ACB0000-0x00007FFC4B771000-memory.dmp

Filesize
10.8MB

Download
memory/3040-35-0x000001CFC2B90000-0x000001CFC2BA0000-memory.dmp

Filesize
64KB

Download
memory/3040-36-0x000001CFC2B90000-0x000001CFC2BA0000-memory.dmp

Filesize
64KB

Download
memory/3040-51-0x00007FFC4ACB0000-0x00007FFC4B771000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing